YEARBOOK OF EUROPEAN UNION AND 
COMPARATIVE LAW-YEUCL 
Vol.1, n.1, 2022 Article 2 


Strengthening trust and security in the EU cybersecurity 
policy 


George Bermanns 


DOI: 10.5281/zenodo.10577658 


Follow this and additional works at: 
https://yeucl.free.nf/index.php/yeucl 


Recommended Citation 


Bermanns, G. (2022). Strengthening trust and security in the EU 
cybersecurity policy. Yearbook of European Union and 
Comparative Law, vol.1, n.1, 42-79, Article 2 


Available at: 
https://yeucl.free.nf/index.php/yeucl/issue/current 


This article is brought to you for free and open access by CEIJ. It has been accepted 
for inclusion in Yearbook of European Union and Comparative Law. For more 
information, please contact: YEUCL@usa.com 




STRENGTHENING TRUST AND SECURITY IN THE 
EU CYBERSECURITY POLICY 
DOI:10.5281/zenodo.10577658 


George Bermanns, PhD, Berkeley University. Attorney at Law, 
UK. 


Abstract: The present work analyzes the legislation on
cybersecurity in the EU context. In recent years the European
legislator has sought, alongside foreign and defense policy, to
create an ad hoc order involving all the organs of the Union with
the aim of tackling new types of crimes at European and
international level. Our analysis seeks to address the new
technological challenges and problems relating to cybersecurity
by analyzing the binding and non-binding acts of the Union,
whose application by the Member States seems to be of a
decisive nature for the evolution of this sector in the coming
years, as well as the demonstration that the EU rightly behaves
in practice as a global player.


Keywords: cybersecurity, restrictive measures, EU security,
CFSP, CSDP, cybersecurity act, cybercrime, cyberspace, cyber
resilience


Introduction 


Yearbook of European Union and Comparative Law-YEUCL, vol. 1, 2022 ISSN:2732-9909 




International and national terrorism, organized crime,
international security, and the Covid-19 pandemic are some of
the topics under discussion regarding human security, especially
within the EU (Axworthy, 1999; Cohen, 2001; Christou, 2016).
The term security does not coincide with that of peace, and
international security does not in turn enter within the scope of
the Common Foreign and Security Policy (CFSP). Since 2016
we have noticed the EU's Global Strategy for Foreign Policy and
Security (Zandee, 2016; Barbé, Morillas, 2019)¹, which actually
reaffirmed the ad hoc guidelines of the European Commission
(EC) and of the High Representative of the Union for Foreign
Affairs and Security Policy, i.e. the internal and external
dimensions of security that are interconnected. Actually, the
security issue of European citizens was based on the guidelines
of the institutions, finding implementation in ad hoc legal
instruments, in particular according to the EC approach to crises
concerning security and the notion of resilience across different
policies².
The security of the citizens of the Union in the matter of
cybersecurity was established on 16 December 2020³. The

1Council of the European Union, A comprehensive strategy for the European 
Union's foreign and security policy, Brussels, 28 June 2016. 

2Communication from the Commission to the European Parliament and the 
Council, 2020 Forecasting Report. Strategic forecast: charting the course towards a 
more resilient Europe, Brussels, 9 September 2020, COM (2020) 493 final. 

3Joint Communication to the European Parliament and the Council, The EU
Cybersecurity Strategy for the Digital Decade, Brussels, 16 December 2020, JOIN
(2020) 18 final.




cybersecurity has suggested a series of actions and tools to deal
with cyber threats for the purpose of safeguarding
fundamental rights and freedoms. The purpose of each measure
is the development of the resilience of infrastructures, as well as
strategic cooperation at an international level, to foster a
cyberspace alongside the European legal area up to international
cooperation for an open and secure cyberspace. A cybersecurity
strategy that is integrated with other tools of different
nature and purpose, consistent with its objectives. It is a
document entitled Shaping the digital future of Europe⁴, an
organizational plan from the side of the EC⁵. A strategy for
security in the European space⁶, of a global nature for the
foreign and security policy of the Union according to the
principles of the Strategic Agenda of the European Council
2019-2024 (Chiara, 2022)⁷.
Cybersecurity is: “(...) the set of activities necessary to protect
the network and information systems, the users of these systems

4Communication from the Commission, Shaping the digital future of Europe, of 
19 February 2020, COM (2020) 67 final. 

5Communication from the Commission, A time for Europe: repairing the damage 
and preparing the future for the next generation, Brussels, of 27 May 2020, COM 
(2020) 456 final. 

6COM(2020) 605 final. Communication from the Commission to the European
Parliament, the European Council, the Council, the European Economic and Social
Committee and the Committee of the Regions on the EU Security Union Strategy, and
in particular note 25.

7See: Art. 2 (Definitions), n. 1, Regulation (EU) 2019/881 of the European
Parliament and of the Council, of 17 April 2019, concerning ENISA, the European
Union Agency for Cybersecurity, and the certification of cybersecurity for
information and communication, and repealing regulation (EU) no. 526/2013, in OJ
EU L 151 of 7 June 2019, p. 32.




and other people affected by cyber threats (...)”⁸, thus emerging
the primary need for consistency (art. 13 (1) TEU and 7 TFEU)⁹
which claims the need for coordination between different
policies in order to pursue an effective EU action¹⁰. In this sense,
cybersecurity constitutes a type of intervention (or a new
“discipline”) in the European context. It is a sector that is not based
on a distinct and specific competence attributed by the founding
Treaties or, most recently, that of Lisbon (Blanke, Mangiamelli,
2021)¹¹.

The variety of initiatives, especially of a regulatory nature, makes
up a fragmented and constantly evolving legal framework. This
is the spirit of our analysis, which seeks to examine the
coordination between the policies of the Treaties with the aim of
creating a new “policy” in the European context, cybersecurity


8Regulation (EU) 2019/881 of the European Parliament and of the Council, op. 
cit. 

9Art. 7 TFEU states: “The Union ensures consistency between its various policies 
and actions, taking into account all its objectives and complying with the principle of 
attribution of competences”. 

10Communication from the Commission to the European Parliament and the 
Council First progress report on the EU strategy for the Security Union, COM (2020) 
797 final of 9 December 2020: “(...) the threat posed by transnational terrorist 
networks clearly demonstrates that a coordinated EU action is indispensable for action 
that effectively protects Europeans, upholding our common values and the European 
way of life. The current situation indicates the emergence of increasingly complex 
cross-border and cross-sectoral security threats, making greater security cooperation 
at all levels even more essential. This applies to organized crime or drug trafficking, 
but cybersecurity constitutes, according to some, a new sector of intervention (or a 
new “discipline”), which however is not based on a distinct and specific competence 
attributed by the Treaties. Given the variety of initiatives, including regulatory ones, 
that make up a fragmented and rapidly evolving legal framework, this contribution 
aims to examine the coordination between the policies of the Treaties with the aim of 
achieving cybersecurity in the area of freedom, security and justice (...)”. 

11See in particular art. 95 TEU. 




in the area of freedom, security and justice. 


The regulatory “journey” of cybersecurity in the EU

“Open” cyberspace is a type of project that gives the opportunity
to express oneself freely and exchange ideas and information
through the dual use of the Network¹². The continuing
security threats are hybrid and affect the system of fundamental
rights and freedoms and above all the values of the Union.
These are topics of discussion within the European institutions.
The problem of malicious use of the internet requires greater
cooperation in criminal matters between national authorities, i.e.
the police and judicial authorities of the EU Member States. We
are talking about a threat to security in the area of freedom,
security and justice according to art. 67, par. 3 TFEU (Csonka,
Landwehr, 2019; Blanke, Mangiamelli, 2021), which makes the
acceleration of the use of digital technologies more problematic
due to the limitations on the freedom of movement of people
imposed by the period of the COVID-19 pandemic and so on.

The level of commitment at European and especially regional


12The concept of dual use, inherent in various technologies including Information
and Communication Technology (ICT), “(...) refers to peaceful uses and therefore to
the benefits deriving from the information society, on the one hand, and to military
or war uses, on the other hand. This concept was taken up by the G7 Summit in
Taormina (26-27 May 2017) in which the commitment to defend cyberspace as an
open space (...) that promotes the well-being of society, and at the same time it was
decided to fight terrorism in its online manifestations (the rise of terrorism and violent
extremism, including its manifestation online (...)”, so G7 Taormina Leaders'
Communiqué, at point 4.




level with the relative results obtained in this matter¹³ has
resulted in the adoption of the Council of Europe Convention
on Cybercrime (Budapest Convention)¹⁴ and also in further
initiatives aimed at bridging the shortcomings of the discipline
in question¹⁵. We refer to the QR code discipline and the related
discipline that has been used to deal with cybercriminals¹⁶.
Within this spirit we note Regulation n. 460/2004, which
established the European Union Agency for Cybersecurity
(ENISA) and invited Member States to define their national
strategies for cybersecurity. It was followed by Regulation 2019/881
(so-called “Cybersecurity Act”), which has taken steps to
strengthen the mandate of ENISA (Markopoulou,
Papakonstantinou, De Hert, 2019; Radoniwicz, 2021)¹⁷.


13The attempt to adopt a global convention on cybercrime (proposal presented at 
the XII Congress of the United Nations, held from 12 to 19 April 2010) must also be 
remembered, which however failed due to the disagreement between the States. 

14Cybercrime Convention, opened for signature in Budapest on 23 November
2001 and entered into force on 1 July 2004. D. Wicki-Bircher, The Budapest
Convention and the general data protection regulation: Acting in concern to curb
cybercrime?, in International Cybersecurity Law Review, 1, 2020, pp. 65ss.

15In terms of cross-border cooperation for the purpose of acquiring digital proof 
abroad, it is necessary to mention the preparatory work in view of the adoption of the 
second Additional Protocol to the Budapest Convention. 

16CJEU, C-582/14, Breyer of 19 October 2016, ECLI:EU:C:2016:779, published
in the electronic Reports of the cases. According to the Court: “(...) based on art. 7,
letter f), of the directive on the protection of personal data, the processing of personal 
data is legitimate, in the absence of the consent of the data subject, if it is necessary 
for the pursuit of the legitimate interest of the data controller or of the third party or 
parties to whom the data is disclosed, provided that the interests or rights and 
freedoms do not prevail (...)”. 

17See Regulation (EU) 526/2013 of the European Parliament and of the Council 
of 21 May 2013 on the European Union Agency for Network and Information 
Security (ENISA) and repealing Regulation (EC) n. 460/2004, in OJEU L 165 of 18 
June 2013, pp. 41ss. Subsequently, the need for consistency of ENISA's mandate with 
the discipline introduced by the NIS directive, led to the adoption of Regulation (EU) 
2019/881, op. cit. note 10. The five strategic objectives were as follows: dismantle




Cyber security is a continuously evolving topic and an objective
that continues to be central to the EU in the perspective of the
creation of the market and the pursuit of trade values.

The operational tools are functional according to the needs
highlighted in the EU internal security strategy of 2010¹⁸.
This strategy aims to increase the internal security of the EU
through some strategy objectives¹⁹, and it was oriented and
revised with the Commission Communication on the EU
Strategy for the Security Union of 24 July 2020²⁰. We note the
establishment of ad hoc bodies which are entrusted with the
management of risks in cyberspace and coordination by the
individual Member States. In this spirit, the European Center for
the Fight against Cybercrime (EC3) was set up alongside
Europol and the Cyber Emergency Response Team (CERT-EU),
which are supported by the European Information Sharing and


international criminal networks, prevent terrorism and counter radicalization and
recruitment, increase security levels for citizens and businesses in cyberspace,
strengthen security through border management and increase Europe's
resilience to crises and disasters.

18Communication from the Commission to the European Parliament and the 
Council The EU Internal Security Strategy in Action: Five Steps towards a Safer 
Europe, of 22.11.2010, COM (2010) 673 final, adopted for the period 2011-2014. 

19Communication from the Commission to the European Parliament and the 
Council The EU Internal Security Strategy in Action: Five Steps towards a Safer 
Europe, op. cit. 

20The recent strategy also updates the previous Communication from the 
Commission on the European Agenda on Security, of 28 April 2015, COM (2015) 
185 final, adopted for the period 2015-2020. In the EU Strategy for the Security 
Union, COM (2020) 605 final, adopted for the period 2020-2025, the Commission 
acknowledges the new threats to the security of European citizens, including the 
COVID-19 pandemic, and the massive use of digital technologies in society, which, 
however, cybercriminals have also used for malicious purposes. 




Alerting System (EISAS). 

These are tools in continuous development, which have
increased the strengthening of the European Center for the fight
against cybercrime, as happened with the adoption of the EU
Law Enforcement Emergency Response Protocol, according to
Commission recommendation no. 2017/1584 on the coordinated
response to large-scale cybersecurity incidents and crises of 13
September 2017²¹. In 2019, a European network of cyber crisis
liaison organizations (EU-Cyber Crisis Liaison Organization
Network, CyCLONe) was created, which has as its objective the
coordinated management of large-scale cybersecurity incidents
and crises and the guarantee of the regular exchange of
information between Member States and EU institutions²².

The European Parliament in its Resolution of 12 June 2012 on
“Protection of critical computerized infrastructures -
achievements and next steps: towards global cyber security”²³
recommended that the Commission:


“propose binding measures aimed at imposing minimum standards on 


21Commission Recommendation (EU) 2017/1584 of 13 September 2017 on 
coordinated response to large-scale cybersecurity incidents and crises, C/2017/6100, 
OJ L 239, 19.9.2017, p. 36-58. 

22According to ENISA: “The CyCLONe’s aim is to contribute to the 
implementation of the European Commission's Blueprint for rapid emergency 
response in case of a large-scale cross-border cyber incident or crisis and 
complements the existing cybersecurity structures at EU level by linking the 
cooperation at technical (e.g. Computer Security Incident Response Team-CSIRTs) 
and political levels (e.g. Integrated Political Crisis Response-IPCR)”. 

23Cross-border voluntary activities in the EU European Parliament resolution of 
12 June 2012 on recognising and promoting cross-border voluntary activities in the 
EU (2011/2293(IND). OJ C 332E , 15.11.2013, p. 14-22. 




security and resilience and improving coordination between national CERTs 
(...)” (no. 22). It also invited it to propose, by the end of 2012, “(...) a 
comprehensive EU strategy for internet security based on clear terminology 
(...). To establish minimum resilience standards between Member States, in 
order to ensure a secure, continuous, solid and resilient service, with 
reference to both critical infrastructures and general use of the internet (...) 
while ensuring (...) free flow of information and solid protection of privacy 
and other civil liberties (...)” (n. 32).


The European Commission adopted the European Union
strategy for cybersecurity: An open and secure cyberspace on 7
February 2013 (Editorial, 2015; Arpagian, 2016), which began to
find a basis in the directive of the European Parliament and of
the Council on measures for a high common level of network
security and information systems in the Union of 6 July 2016
(NIS Directive), which constitutes the pillar which is currently
under review²⁴. The Strategy was adopted by the Commission
and the High Representative of the European Union for Foreign
Affairs and Security Policy as a far-reaching tool on
cybersecurity²⁵, extending the Union's interventions to the three
main areas of competence, namely the internal market, the area


24Joint Communication from the Commission to the European Parliament and the 
Council of 13 September 2017, Resilience, Deterrence and Defense: Building strong 
cybersecurity for the EU, JOIN (2017) 450 final; Commission Recommendation of 13 
September 2017 on Coordinated Response to Large Scale Cybersecurity Incidents and 
Crises, C (2017) 6100 final; Proposal for a Regulation of the European Parliament and 
of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation 
(EU) 526/2013, and on Information and Communication Technology cybersecurity 
certification (“Cybersecurity Act”), which led to the adoption of Regulation 2019/881, op.
cit.

25As stated: “Cybersecurity commonly refers to the precautions and interventions 
that can be taken to protect cyberdomain, both civil and military, against threats 
associated with or that can harm their interdependent information networks and 
infrastructures. Cybersecurity aims to safeguard the availability and integrity of 
networks and infrastructure and the confidentiality of the information they contain”.




of freedom, security and justice and the European security and 
defense policy. 

The related interventions are concentrated on five strategic 
priorities: 


“achieving cyber resilience²⁶; drastically reduce cybercrime; develop a policy
related to the Common Security and Defense Policy (CSDP)²⁷; develop
industrial and technological resources for cybersecurity; create a coherent
international policy of the European Union on cyberspace and promote the
constitutive values of the EU (...)”²⁸.


The strategic priorities just mentioned are developed on the basis
of the continuous and rapid progress made in recent years, as
emerges from the relevant EU strategy on cybersecurity for the
digital decade of 16 December 2020.

Cybersecurity is a transversal and strategic objective of the
European Union which aims to achieve the purposes indicated in
art. 3 (lett. 1, 2, and 3) TEU (Blanke, Mangiamelli, 2021) on the
basis of the system of attribution of powers relating to: internal
market, area of freedom, security and justice, common security


26According to the ECB: “(...) cyber resilience refers to the ability to protect 
electronic data and systems from cyberattacks, as well as to resume business 
operations quickly in case of a successful attack”. Communication from the 
Commission to the European Parliament, the Council, the European Economic and 
Social Committee and the Committee of the Regions Strengthening Europe's cyber 
resilience system and promoting competitiveness and innovation in the cybersecurity 
sector, of 5 July 2016, COM (2016) 410 final; and the Commission Decision on the 
establishment of a contractual public-private partnership for information security 
(contractual PPP), of 5 July 2016, C (2016) 4400 final. 

27It is worth highlighting that in order to implement the Strategy, at the request of
the European Council of December 2013 and on the proposal of the High
Representative and in collaboration with the Commission and the European Defense
Agency, the Council adopted the strategic EU Cyber Defense Policy
Framework on November 18, 2014.

28With regard to these strategic priorities, the European Union promotes a
multi-stakeholder approach that leverages synergy with international partners and
organizations, with the private sector and with civil society.




and defense policy. It should be remembered that the Lisbon
Treaty offered an impetus to the development of the area of
freedom, security and justice that respects this security sector
which: “today, in a very stagnant general legislative framework,
the most concrete and interesting legislative dynamism of the
Union (...)” (Blanke, Mangiamelli, 2021). European Union
legislation continues to develop under the Budapest Convention.
The sectors that involve the maintenance of public order and
internal security remain within the competence of the Member
States, according to the respect of cyber espionage activities,
i.e. intelligence services (Blanke, Mangiamelli, 2021)²⁹. In this
sense, we have also noted the relative developments that are
emerging in the context of the common security and defense
policy with regard to the possibility of enforcing the solidarity
clause according to the principles of the Union³⁰.
In the area of the internal market, the legislative interventions of the
EU aimed at the security of computer networks as well as the
development of the market for products and services for
cybersecurity are also being organized³¹. The cybersecurity of

29Art. 4, par. 2 of the TEU expressly provides that “national security remains the 
exclusive competence of each Member State (...)”. 

30European Parliament resolution of 12 September 2013 on the European Union 
strategy for cybersecurity: an open and secure cyberspace, in OJ EU C 93 of 9 March 
2016, p. 112 ff. in which Parliament calls on the Commission to “take into account the 
risk of cyber attacks against Member States” in defining the future modalities for 
implementing the solidarity clause (article 222 of the TFEU), see par. 17. 

31Communication from the Commission to the European Parliament, the Council,
the European Economic and Social Committee and the Committee of the Regions
Strengthening Europe's cyber resilience system and promoting competitiveness and
innovation in the cybersecurity sector, of 5 July 2016, COM (2016) 410 final and the



technological products is an aspect of strategic importance, as
reported and underlined by the EU strategy for the Security
Union. In particular, the security of 5G networks is not
accidental³², as well as the need to introduce and examine a
European discipline that responds to the related needs that have
emerged at the European level, in particular contracts for the
construction of 5G networks in the Member States and the
participation of non-EU States, such as China and various other
Eastern European countries. Within this spirit, the problem that
enters the field of international private law of the European
Union concerning commercial disputes at multilateral level
remains unresolved, a sector that is always evolving and
complex in terms of the breadth of in-depth studies that it
requires.


The legal framework on European cybersecurity 
Cybersecurity crises have led to a regulatory framework that is
always in line with the relevant EU treaties but remains
fragmented and always evolving, requiring greater consistency
and effectiveness of the regulatory acts adopted also in light of

Commission Decision on the establishment of a contractual public-private partnership
for cyber security (contractual PPP), of 5 July 2016, C (2016) 4400 final.

32Recommendation (EU) 2019/534 of the European Commission of 26 March
2019, Cybersecurity of 5G networks, C (2019) 2335 final, and the Communication
from the European Commission Deploying secure 5G-Implementation of the EU
toolbox, of 29 January 2020, COM (2020) 50 final.




national security issues. 
Within this spirit we recall Directive 2016/1148 (“NIS
directive”, Network and Information Security)³³, which aims to
create “a minimum common capacity” and


“common security obligations for operators of essential services and
suppliers of digital services in the EU through specific interventions that can
enhance the overall efficiency of the EU (...)”³⁴.


The NIS directive has provided for a minimum standard level of
security of networks and information systems (“adequate to the
existing risk”) and introduces the related obligation for
Member States to require certain subjects, i.e. operators of
essential services and suppliers of digital services, to notify the
competent authority or the IT security intervention group
without undue delay in the event of an incident. In this case, the
incidents:


“(...) have a significant impact (...) respectively on the continuity of the 
essential services provided or the supply of a digital service (a list of which is 
found in Annex III) (...)”³⁶.


A minimum harmonization directive that allows Member States 


33Directive 2016/1148/EU of the European Parliament and of the Council, of 6 
July 2016, laying down measures for a high common level of security of networks and 
information systems in the Union, in OJ EU L 194/2016, p. 1 ss, and the Proposal for 
a Directive of the European Parliament and of the Council on measures for a high 
common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, 
COM/2020/823 final of 16 December 2020. 

34Par. 2 

35The directive therefore provides for similar obligations to adopt adequate and 
proportionate technical and organizational measures for risk management, taking into 
account “the most up-to-date knowledge on the subject”, see respectively art. 14, 
paragraph 1 (for operators of essential services) and art. 16 paragraph 1 (for digital 
service providers). 

36Online marketplace, online search engine, services in the cloud (cloud 
computing). There is also a “voluntary notification” mechanism (article 20) for 
subjects not belonging to the categories of operators of essential services and digital 
service providers for which notification is required. 




a more or less wide margin of appreciation with regard to “the
level of security to be pursued and the measures to prevent cyber
incidents to be adopted (...)”³⁷. The methods of application of the
discipline are governed by the adoption of the Implementing
Regulation no. 2018/151 of the Commission of 30 January
2018³⁸.

Each Member State designates one or more intervention groups
relating to the exchange of information on risks and incidents,
i.e. the Computer Security Incident Response Team (CSIRT),
where the relevant Cooperation Group collaborates and
participates. The difference with respect to the previous


37This entails, pursuant to art. 3 of the NIS Directive, that the States, without 
prejudice to article 16, par. 10 (which prohibits States from imposing additional 
security or notification obligations on digital service providers, which are not justified 
by national security requirements indicated in article 1, paragraph 6) may “(...) adopt 
or maintain provisions capable of achieving a higher level of security of the network 
and information systems (...)”. 

38Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 
laying down detailed rules for the application of Directive (EU) 2016/1148 of the 
European Parliament and of the Council as regards the further specification of the 
elements that digital service providers must take into consideration for the purposes of 
managing the risks posed to the security of networks and information systems and the 
parameters for determining the possible significant impact of an incident, in OJEU L
26 of 31 January 2018, pp. 48-51. In particular, pursuant to article 4: “An incident is
considered to have a significant impact if at least one of the following situations
occurs: a) the service provided by a digital service provider has not been available for
more than 5.000.000 user hours, where user hours means the number of affected users
in the Union for a duration of sixty minutes; b) the incident resulted in a loss of
integrity, authenticity or confidentiality of the stored, transmitted or processed data or
related services offered or accessible via a network and information system of the
digital service provider which affected more than 100.000 users in the Union; c) the
incident generated a risk to public safety, public security or in terms of loss of life; d)
the incident caused material damage exceeding EUR 1.000.000 for at least one user in
the Union (...)”.

39The Cooperation Group is composed of representatives of the Member States, 
the Commission and ENISA (article 11, paragraph 2). The cooperation activity for 
cybersecurity translates, among other things, into the analysis of risks and the 
adoption of reports, see most recently the NIS Cooperation Group Report of 9 




protection mechanisms consists in the notion of incident, which
also includes criminal activities and all that is pre-established
pursuant to the NIS directive: “(...) any event with a real
detrimental effect on the security of the network and information
systems (...)” (Blanke, Mangiamelli, 2021)⁴⁰.

The term "attack" against information systems has been included
in Directive no. 2013/40 according to the spirit of art. 83, par. 1
TFEU (Blanke, Mangiamelli, 2021). It includes the
harmonization of criminal laws of the Member States relating to
the types of offenses listed in articles 3 to 7: illicit access to
information systems; unlawful interference with respect to
systems; unlawful interference with data (Buttarelli, 2016);
illicit interception; and tools used to commit crimes. Very
important for our analysis is the definition of the crime of “illicit
interference with regard to systems”. It has been defined as:


“(...) the act of seriously obstructing or interrupting the functioning of an 
information system by entering computer data, transmitting, damaging, 
deleting, deteriorating, altering or suppressing of such data or making such 
data inaccessible, done intentionally and without right (...)”.

The aforementioned definition is compatible with the notion of 


October 2019, EU coordinated risk assessment of the cybersecurity of 5G networks. 
The CSIRTs are designated by the Member States in accordance with art. 9. 

40 Art. 4, n. 7.

41 The directive also aims to introduce criminal sanctions “for the creation of
“botnets”, i.e. for the action with which remote control of a significant number of
computers is established by infecting them with malicious software by means of
targeted cyber attacks. Once created, the infected network of computers that make up
the “botnet” can be activated without the users' knowledge to launch a large-scale
cyber attack (...)” (recital 5).

42 Commission Implementing Regulation (EU) 2018/151, op. cit., par. 7.




accident according to the NIS Directive which defines the
scope of application (article 1 (4)) and the binding acts of the
Union adopted in specific sectors such as the banking sector and
the financial market infrastructures.
The legal basis of the two directives mentioned in relation to the 
internal market and the area of freedom, security and justice 
requires the application of the consistency criterion in view of 
the systematic interpretation of the rules on cybersecurity.
Identifying the risks of accidents, preventing and dealing with
accidents, and mitigating their impact, i.e. the “risk
management” measures, fall within the obligations of the
Member States provided for by the NIS Directive within the
“National Safety Frameworks of the network and information
systems”.
There is a relative lack of homogeneity among the Member States in
relation to the identification of subjects bound by the provisions
of the directive and the notion of “operators of essential
services”. In particular, the EC launched a public consultation 
(from 7 July to 2 October 2020) seeking to collect the related 
results from the Member States and to verify the implementation 
of the directive through meetings with the relevant operators and 

43 The notion of “accident” defined in art. 4, no. 7 is consistent with the
description contained in the Strategy at point 1.1. that cybersecurity incidents can be
“intentional or accidental” and threats can have different origins, such as “criminal
attacks, of a political or terrorist nature, or commissioned by a State, or be caused by
natural disasters and unintentional errors”.


44 The regulation of which covers all operations, including the security, integrity
and resilience of networks and information systems.




national authorities. With regard to the consultation sector and
the deadline for transposition of the directive (9 May 2018), the
EC presented a new proposal for a directive to the European
Parliament and the Council on measures for a high common
level of cybersecurity in the Union, which repeals the directive
(EU) 2016/1148, Brussels, 16 December 2020 (so-called NIS
2).

The NIS Directive has required Member States to take the 
necessary precautions for the purposes of processing personal 
data as part of the prevention and restoration of IT systems after 
the related IT incident. The progress made in recent decades in
the regulation of personal data protection in the European Union
and certainly in the field of personal data protection and human
rights benefits from the perplexities raised by European doctrine
and legislation. 

The legal basis referred to in Directive 95/46 was discussed: that
is, article 114 of the TFEU (Blanke, Mangiamelli, 2021) which


45 Report from the Commission to the European Parliament and the Council
assessing the consistency of the approaches adopted by Member States for the
identification of operators of essential services in accordance with article 23 (1) of
Directive 2016/1148/EU on the security of networks and information systems, of 28
October 2019, COM (2019) 546 final.

46 COM(2020) 823 final.

47 With regard to the protection of personal data, the Regulation (EU) 2016/679 of
the European Parliament and of the Council, of 27 April 2016, concerning the
protection of individuals with regard to the processing of personal data, as well as the
free circulation of such data, and repealing Directive 95/46/EC (general regulation on
data protection), in OJ EU L 119 of 4 May 2016, p. 1ss., should be considered.




establishes the competence in the field of harmonization in order 
to ensure the proper functioning of the internal market. This is 
not a legal basis used for the purpose of legislating the matter of 
protection of human rights. The European legislator has 
multiplied the way in this sector as it has been repeatedly 
examined by the Court of Justice of the European Union.

The practice has found a relative justification given that: 


“(...) an internal market competence to harmonize fundamental rights 
protection if certain conditions (...) are met. The precondition is that there 
are divergent national laws, which are liable to put the establishment and 
functioning of the internal market at risk or to distort competition (...)” 
(Kosta, 2015). 


After the Lisbon Treaty, the problem of the absence of a legal 
basis that stems from the non-adoption of specific articles on the 
subject in the Treaty has been resolved. The relative rule on the 
protection of personal data has been inserted (art. 16 TFEU) and 
the Charter of the Fundamental Rights of the European Union 
(CFREU) has assumed the same legal value as the Treaties. The 
related changes based on Regulation 2016/679 reflect the 
dynamic and integrated vision of EU rights and policies. 

The strengthening of the current institutional and regulatory 
framework is mentioned in the broader mandate that was given 
to the European Union Agency for Cybersecurity (ENISA) with 
its Regulation no. 2019/881 of 17 April 2019 (so-called 


48 CJEU, C-491/01, British American Tobacco (Investments) and Imperial
Tobacco of 10 December 2002, ECLI:EU:C:2002:741, I-11453. C-58/08, Vodafone
and others of 8 June 2010, ECLI:EU:C:2010:321, I-04999. C-398/13, Inuit Tapiriit
Kanatami and others v. European Commission of 3 September 2015,
ECLI:EU:C:2015:535, published in the electronic Reports of the cases.




“Cybersecurity Act”). The regulation based on art. 114 TFEU
affirmed:


“to achieve a high common level of cybersecurity throughout the Union, also 
by actively supporting the Member States, institutions, bodies and agencies 
of the Union in improving cybersecurity (...)” (art. 3, par. 1). 


ENISA has had extensive skills and is completed by the 
“European cybersecurity certification framework” with the aim 
of introducing a certification model for ICT products, a unified 
model that has overcome any conflicts and inconsistencies 
between different national certification models, thus 
strengthening the consumer and European citizens' confidence in 
ICT products according to the full realization and functioning of 
the digital single market. 

The European cybersecurity must be articulated in a more 
complex way and a strengthening of the technical and 
operational skills of the respective bodies involved emerges 
according to the collaboration between them, such as the 
cooperation between ENISA and Europol for the purpose of 
combating cybercrime. 

Member States have transposed some EU directives on 
cybercrime with relative delay. We recall that the goal was to 
promote harmonized criminal law. In particular, the EC tries to 
monitor the transposition of directives as well as the
implementation of attacks against information systems. The
related legislation formed a new Union policy that is not of
primary necessity and therefore related delays are reported in the




implementation, for example, of the 2011 directive on the fight 
against sexual abuse of minors. Therefore the EC has adopted an 
EU strategy for a fight with concrete results and in practice 
against the sexual abuse of minors. A final point of analysis 
concerns cross-border access to electronic evidence in criminal 
investigations. We recall the EC proposals on cross-border
access to electronic evidence of April 2018, where the European
Parliament has not defined its position and the legislative
procedure has not been completed (Bachmaier Winter, Ruggeri,
2022). The issue is the subject of international negotiations
within the United Nations and the Council of Europe for the
adoption of a second additional protocol to the Cybercrime
Convention: bilaterally according to the conclusion of an EU-US
agreement on cross-border access to electronic evidence.

The lack of political will of the Member States that “slowly” 
decide and adopt the relevant regulations for the safety of 
European citizens, however, constitutes a non-permanent 
obstacle to the activity of the judicial bodies for the creation of
the area of freedom, security and justice.


49 See on this point the SIRIUS European Union digital evidence situation Report,
3rd Annual Report of 2021.

50 COM/2018/226: Proposal for a Directive of the European
Parliament and of the Council laying down harmonised rules on the appointment of
legal representatives for the purpose of gathering evidence in criminal proceedings
and COM/2018/225: Proposal for a Regulation of the European Parliament and of the
Council on European Production and Preservation Orders for electronic evidence in
criminal matters.




CFSP, cybersecurity and restrictive measures
The “European Union strategy for cybersecurity: An open and
secure cyberspace” of 2013 widely refers to the notion of
“cyberspace”, as the latter was developed by NATO. The term
is used primarily in the acts adopted under the CFSP and the
CSDP, in relation to the objective of achieving the EU “cyber
defense” through an EU strategic framework on cyber defense
which was adopted in 2014 and updated in 2018. A functional
link has been noted between the availability and access to a 
secure cyberspace that comes through the development and 
resilient cyber defense capability, as well as the implementation 
of CSDP missions and operations and the objectives of the 
CSDP. 
European legislation has as its purpose to develop the cyber defense
capacity of the Member States and to protect the integrated and
harmonized European security and defense infrastructures
within the limits of the current intergovernmental method. The

51 Cyberspace is described: “(...) as the fifth domain of military activity,
equally critical to European Union (EU) Common Security and Defence Policy
(CSDP) implementation as the domains of land, sea, air, and space (...)”.

52 Council of the European Union, EU Cyber Defense Strategic Framework,
Brussels, 18 November 2014 and, subsequently, EU Cyber Defense Strategic
Framework (updated to 2018), Brussels, 19 November 2018 “(...) updated strategic
cyber defense framework is to further develop the EU cyber defense policy taking into
account appropriate developments in other relevant fora and sectors as well as the
implementation of the aforementioned framework since 2014 (...)”, par. 2.

53 In this sense: “The EU Cyber Defence Policy Framework (CDPF) supports the
development of cyber defence capabilities of EU Member States as well as the
strengthening of the cyber protection of the EU security and defence infrastructure,
without prejudice to national legislation of Member States and EU legislation,
including, when it is defined, the scope of cyber defence”, par. 2.




aims of the EU are: to promote civil-military cooperation with
other cyber policies of the EU, with relevant institutions and
agencies of the EU, as well as with the private sector; and, in
particular, to promote the improvement of training, education and
cooperation opportunities and the strengthening of cooperation with
international partners, especially through NATO objectives.

Developments in recent years have allowed the Union
to make considerable progress in cyber defense and in the policies
of the EU relating to cyberspace.

With regard to cyber defense, the Council adopted on 19 June 
2017 the related framework on the EU's common diplomatic 
response to malicious cyber activities, such as the “Cyber 
Diplomacy Toolbox” (Wessel, 2021; Matera, 2016). In 
particular the Council affirms that: 


“(...) a common and comprehensive EU approach to cyber diplomacy could 
help prevent conflicts, reduce cybersecurity threats and increase stability in 
international relations (...)”. 


According to the conclusions of the Council of 2017 and the
related follow-up, the following were adopted: “(...)


54 Council conclusions on a framework for a joint EU diplomatic response to
malicious cyber activities (“Cyber Diplomacy Toolbox”), of 19 June 2017. Council 
Decision (CFSP) 2020/1127 of 30 July 2020 amending Decision (CFSP) 2019/797 
concerning restrictive measures against cyber-attacks threatening the Union or its 
Member States; Council Implementing Regulation (EU) 2020/1125 of 30 July 2020 
implementing Regulation (EU) 2019/796 concerning restrictive measures against 
cyber-attacks threatening the Union or its Member States. 

55 Conclusions of the Council of 16 April 2018 on malicious cyber activities and
the conclusions of the European Council of 28 June 2018 and 18 October 2018 which 
underlined: “(...) the need to strengthen capacities against cybersecurity threats arising 
from outside the Union and to improve the ability to respond to and prevent cyber 
attacks through restrictive measures to be adopted as a follow-up to what was 
established in the Council conclusions of 19 June 2017”. 




restrictive measures against cyber attacks (...) with the specific 
purpose of preventing and countering cyber-attacks in the 
context of the CSDP (...)”. 

In this spirit, we report the Decision (CFSP) no. 2019/797 of the 
Council of 17 May 2019 relating to restrictive measures against 
cyber attacks that threaten the Union or its Member States and
Regulation no. 2019/796 of the Council of 17 May 2019
concerning restrictive measures against cyber attacks that
threaten the Union or its Member States.

We are talking about measures whose purpose is to limit
entry into and transit through the territory of the Member
States, as well as measures for freezing the funds and economic
resources of natural or legal persons, groups and non-state
entities held responsible for cyber attacks or that have
supported or facilitated cyber attacks. In particular, art. 1 of the
Decision for the application of restrictive measures requires that: 


“(...) cyber attacks produce or are also potentially suitable for producing 
significant effects on information systems, and in particular (...) on the 
critical infrastructures of the Member States, and which constitute an external 
threat to the Union or its Member States (...)”. 


Article 3 of the Decision clarifies what is meant by: 


“(...) significant effects on the basis of a series of parameters concerning, 
inter alia, the scope, extent, impact or severity of the disturbances caused, the 
number of natural or legal persons, or of the Member States concerned (...). 


56 Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive
measures against cyber-attacks threatening the Union or its Member States,
ST/7299/2019/INIT, OJ L 129I, 17.5.2019, p. 13-19.

57 Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive
measures against cyber-attacks threatening the Union or its Member States,
ST/7302/2019/INIT, OJ L 129I, 17.5.2019, p. 1-12.




The measures seem questionable in terms of their effectiveness due to the 
very nature of cyberspace due to the fact that criminal or terrorist activities 
can be carried out without the need for any physical presence on the territory 
of the State of the person who operates on the network or through the 
computer network (...), some effect can be recognized to them at least on a 
political level (...)” (Moret, Pawlak, 2017).


The Council first adopted restrictive measures against certain 
natural and legal persons through the Council Decision on 
restrictive measures against cyber attacks threatening the Union 
or its Member States of 30 July 2020 and the Implementing 
Regulation (EU) 2020/1125 of the Council of 30 July 2020, 
which actually implements Regulation (EU) 2019/796, 
concerning restrictive measures against cyber attacks that 
threaten the Union or its Member States. Finally, within this
space, the Decision (CFSP) 2020/1537 of the Council of 22 
October 2020 amending the Decision (CFSP) 2019/797 has 
included two other subjects and one body in the list established 
by the previous decisions. 

Let us not forget the High Representative of the Union for 
Foreign Affairs and Security Policy who is committed to 
promoting the EU's “resilience”, “deterrence” and “defense” 
against cyberattacks, as noted in the joint Communication with
the European Parliament and the Council for resilience,


58 “(...) push forward the conversation about similar measures within the UN
context”.

59 Council Implementing Regulation (EU) 2020/1125 of 30 July 2020
implementing Regulation (EU) 2019/796 concerning restrictive measures against
cyber-attacks threatening the Union or its Member States, ST/9568/2020/INIT. OJ L
246, 30.7.2020, p. 4-9.

60 OJ EU L 351I of 22 October 2020, p. 5.




deterrence and defense: towards a strong cybersecurity for the
EU on 13 September 2017. The Communication reconstructs:


“(...) the state of art in the field of cybersecurity in the European Union and 
illustrates a complex set of possible Union actions in all areas of interest 
concerning cyberspace: from the digital market to the protection of personal 
data, the fight against cybercrime, EU foreign and defense policy, external 
relations (...)”. 


Thus an interesting and articulated definition of “cyberspace” 
emerges: 


“(...) The EU considers cyberspace a field of operations such as land, air and 
sea. Cyber defense interventions also include the protection and resilience of 
space systems and related terrestrial infrastructure (...)”.


In the same perspective of “cyberresilience”, the Declaration of
High Representative Josep Borrell, on behalf of the European 
Union, regarding the malicious cyber activities exploiting the 
coronavirus pandemic of 30 April 2020 should be mentioned. 

The European Parliament in the Resolution of 13 June 2018 on 
cyber defense emphasizes the link between the civil and military 
sectors, including products of the EU industry, placed on the 
market, dual use products. The objective of improving the
efficiency of the Union and the Member States in the field of


61 Brussels, 13 September 2017, JOIN(2017) 450 final.

62 par. 19.

63 As the Commission points out in the EU Cybersecurity Strategy: An Open and
Secure Cyberspace 2013: “(...) to promote cyber resilience in the EU, public
authorities and the private sector need to build capacity and cooperate effectively.
Building on the positive results achieved through the activities carried out so far,
further EU interventions can contribute in particular to tackling cyber risks and threats
with a cross-border dimension and preparing for a coordinated response in emergency
situations. In this way, the proper functioning of the internal market will be concretely
supported and the internal security of the EU will be strengthened (...)”, par. 5.

64 European Parliament resolution of 13 June 2018 on cyber defence
(2018/2004(INI)).




investment and defense spending fosters the strategic autonomy
of the EU by launching a permanent structured cooperation 
(PESCO) which also proposes the aid of several approved 
projects, namely strengthening the cyber defense of the EU. 

The initiatives described are part of the Global Strategy for the 
foreign and security policy of the European Union (so-called 
Global Strategy) with the aim of harmonizing the different 
integration of EU policies and linking the internal and external 
dimension of the Union in order to achieve far-reaching
objectives relating to the general aims of the Treaties.


Coordination of EU cybersecurity policies 
The European legislation as we have seen so far is vast and the
need for coherence between the policies of the EU requires a 
coordination of initiatives adopted on the basis of the 
competences attributed by the TFEU, i.e. material policies not 
limited to part V relating to the external action of Union and of 
the TEU referring to the common foreign and security policy. It 
should be noted that the interpretation of the rules of the treaties 

65 Council of the European Union, A global strategy for the foreign and security
policy of the European Union, of 28 June 2016, CFSP/CFSP 543, CSDP/CSDP 395.
The implementation of the Global Strategy was initiated on the basis of the Plan of
implementation on security and defense presented by the High Representative on 14
November 2016, followed by further developments.

66 As it is mentioned: “(...) the interest in the stability and security of cyberspace
appears transversal to the various EU policies and is condensed into the concept of
cybersecurity with equally vague and indefinite outlines if not declined in a functional
sense in the different sectors of activity”.




in post Lisbon practice calls into question contradictions to the 
aforementioned coordination with reference to art. 40 TEU and 
art. 21, par. 3 TEU (Blanke, Mangiamelli, 2021). The 
coordination of cybersecurity policies requires a systematic 
interpretation of the rules in question, under penalty of
failing to achieve the same cybersecurity objectives highlighted by the
guidelines of the European Commission and the High 
Representative for Foreign Affairs and Security Policy. 

There is a need for consistency in relation to the restrictive measures
adopted according to art. 215 TFEU (Blanke, Mangiamelli, 
2021) against individuals identified as responsible for malicious 
actions in cyberspace, such as cyber attacks or acts of 
cybercrime and other policies of the TFEU according to the 
respect and harmonization of the area of freedom, security and 
justice. It is about the protection of European citizens from 
criminal offenses or from violations of their privacy through the 
use of the network and to ensure the wide area of protection of 
the fundamental rights of people subjected to such restrictive 
measures in the area of security and justice. 

The Union seeks to measure not only a legal but also a political 
role as a global actor in terms of cybersecurity based on the 
sector of external relations with third States and international 
organizations. Think of bilateral relations with third countries,
i.e. in relation to networks with 5G technology that take into




account the security standards established for digital 
technologies in the internal market, compliance with the 
certifications that are introduced through Regulation no.
2019/881 and the regulation on privacy, as well as participation in
the working groups of the UN for the definition of responsible
behavior rules for States in cyberspace. Cross-border
cooperation between national authorities and the collection of 
digital evidence of crimes and the fight against cybercrime as 
well as the prevention of cyber attacks and the management of 
large-scale incidents should be considered in this regard. 

Within this circle of analysis, the close correspondence between 
objectives and competences of the EU is recalled (Neframi, 
2010, Elsuwege, 2010; Cannizzaro, 2013). The competences 
attributed in the context of a specific policy could be used to 
achieve the objectives related to the general ones of the EU 
rather than limiting their exercise to a specific policy. The 
reasoning is evident in the unity of the European Union and 
paves the way for coordination between policies, in particular 
the CFSP and the material policies governed by the TFEU. 

One obstacle to coordination is the rather different nature of the 
competences in which it deals. Policies as an expression of the 

67 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17
April 2019 on ENISA and on information and communications technology
cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity
act). See also the work of the Group of Governmental Experts (GGE) and the UN
Open-Ended Working Group (OEWG).




intergovernmental method and those of an economic and social 
nature in matters of integration are prerogatives respected 
according to art. 40 TEU which affirms a clear separation
between the areas considered and as a consequence:


“(...) to hinder the coordinated action of the Union and ultimately to
compromise its ambition to present itself as a global political actor
(...)” (Cannizzaro, 2013).


Furthermore, art. 21, par. 3 TEU establishes that: “the Union 
ensures coherence between the various sectors of external action 
and between these and other policies”. The Council and the 
Commission, assisted by the High Representative of the Union 
for Foreign Affairs and Security Policy, ensure this consistency
and cooperate to this end (Blanke, Mangiamelli, 2021). 

Another point of coordination between the policies of TFEU and 
the CFSP concerns the restrictive measures against people who 
have committed the related crimes in the area of the Union. 
Restrictive measures according to art. 215 TFEU as a result of a 
political act within the CFSP and coordination as is for example 
the policy governed by the TFEU. We do not elaborate on the 
related articles on the subject and on the point of the criminal 
conduct of private individuals to third States and the related 
cyber attacks but we deal with the attempt of coordinating the 
institutions according to the assumptions established in art. 215 
TFEU (Van Elsuwege, 2011; Blanke, Mangiamelli, 2021). 
Coordination between policies of the EU is a first step towards
integration according to art. 21, par. 3 TEU (Blanke,




Mangiamelli, 2021). Thus a third way that goes back as: 


“(...) an informal negotiation and on the search for mutual consent between 
States and supranational institutions (...)”. (...) The attenuation of the 
rigorous principle of the assigned competences (...) would offer the benefits 
of the coherence and efficiency of EU cybersecurity initiatives (...)” 
(Cannizzaro, 2013). 


The area of freedom, security and justice through the 
coordination of the action of different actors and subjects and 
according to the intergovernmental logic is directed towards
pre-established positions by the Institutions, such as the
effectiveness of a strong model in sectors such as cybersecurity
that are found in an initial phase of regulation that for all
scholars it is obvious that cybersecurity needs for the next few
years.


Concluding remarks 

The absence of an assigned competence is compensated by the 
guidelines of the institutions and by the use of art. 114 TFEU 
(Blanke, Mangiamelli, 2021). The practice on coordination 
between TFEU and CFSP policies reveals the usefulness in 
defining the action of the Union in terms of complementarity 
through cybersecurity initiatives. 

The harmonization sector is logical that it presents itself to all 
the policies of the EU, why not also in the cybersecurity sector
and to the national disciplines that enter the sector of digital
products, the certification of cybersecurity and the risk
management mechanisms that the Member States continue to




perform on the one hand following intergovernmental 
cooperation and on the other hand reinvigorating national law 
supported by an architecture based both at European and 
international level in an articulated and fairly clear manner 
despite the complexity of the policy. 
The Budapest Convention on cybercrime was a very important 
reference point for the evolution of protection for the acquisition 
of digital evidence abroad. There is an unexplored area relating 
to the so-called active cyber-defense which concerns the activity 
of professionals assisted by intelligence strategies capable of 
influencing and capturing specialized markets and above all the 
circulation of personalized digital products and services,
obviously including malware or ransomware intended to feed
illicit and criminal activities and to prevent complex cyber
attacks or incidents which may also include international 
liability. 
Digital Europe and the strategic priority according to the current 
program of the European Commission are topics and points of 
reference in the EU strategy on cybersecurity. The strategy 
reflects the transversal approach to various EU policies relating 

68 The strategy aims to intervene through regulatory, investment and policy tools
in three main areas: 1. resilience, technological sovereignty and leadership; 2.
Development of operational capabilities aimed at prevention, deterrence and response;
and 3. Promotion of a global and open cyberspace. European Commission, New EU
cybersecurity rules ensure more secure hardware and software
products, Press release, 15 September 2022.




to the internal market, the free movement of goods, the area of 
freedom, security and justice and CFSP. The guidelines on the 
security of networks and information systems (NIS) and the 
promotion of cooperation between different stakeholders, 
include the joint unit for cyberspace (Cannizzaro, 2013), which 
establishes the so-called “cybersecurity shield for the EU”, 
where the strategy identifies concrete tools to combat 
cybercrime. Strengthening cooperation between Europol and 
ENISA and improving the capacity of law enforcement agencies 
to investigate cybercrime, with primary reference to the fight 
against online sexual abuse of minors and digital investigations, 
including crime in the dark net and the development of common 
procedural rules will be defined with the support of the 
laboratory and the innovation of the Europol organization. 

The tools and policies adopted internally are based on the tools 
of EU cyber diplomacy through the framework of restrictive 
measures currently in force. The strategy proposes interesting 
changes to the legal framework that we already have in place as 
we have seen and which aim to strengthen some aspects of 
overcoming coordination between EU policies. An extension 
and/or reform of the restrictive measures envisaged is still 
possible, through the evaluation of “further options”. The 
strategy allows for the adoption of qualified majority voting for 
the inclusion of additional persons in the lists attached to the 
CFSP decision and in the context of horizontal sanctions against 
cyber attacks (Cannizzaro, 2013). The Council decision 
regarding the drafting and modification of the aforementioned 
lists, established by Regulation 2019/796, constitutes a 
manifestation of the intergovernmental method which tends to 
be mitigated in the near future. 

This aspect together with the evolution of the EU sanctioning 
regime, i.e. sanctions against third States and individual 
subjects, wherever they are, for related violations concerning 
certain issues, e.g. cyber attacks, outlines a new EU security 
objective alongside the space policy of freedom, security and 
justice in CFSP. The strategy integrates cyber diplomacy tools 
into EU crisis and action coordination mechanisms with 
objectives and tools that seek to counter hybrid threats according 
to the action plan for a European democracy. 

Overall, the cybersecurity objectives of the EU need systematic 
coordination between different policies. The effectiveness of the 
aforementioned legislation which is still in progress will depend 
on the level of consistency that the institutions of the EU and the 
Member States will be able to impart to their action. The current 
result is large and small but increasingly open for the near future 
and measured in terms of internal security in the area of 
freedom, security and justice and in the international dimension 
within which the Union can make a significant contribution as a 
global player not through the EC, as the main body for this work 
on a “world” level but by all the institutions. 




References 

Arpagian, N. (2016). L’Europe de la sécurité numérique: très 
juridique, mais guère technologique, et encore insuffisamment 
économique. F.F.E. Annales des Mines-Réalités industrielles, 
2016/3, 51-54. 

Axworthy, X. (1999). La sécurité humaine: la sécurité des 
individus dans un monde en mutation. Politique étrangère, 64 
(2), 337ss. 

Bachmaier Winter, L., Ruggeri, S. (2022). Investigating and 
preventing crime in the digital era: New safeguards, new rights, 
ed. Springer, Berlin, 125ss. 

Barbe, E., Morillas, P. (2019). The European Union global 
strategy. The dynamics of a more politically integrated foreign 
policy. Cambridge Review of International Affairs, 32 (6), 
756ss. 

Blanke, H.J., Mangiameli, S. (2021). Treaty on the Functioning 
of the European Union. A commentary. ed. Springer, Berlin. 

Buttarelli, G. (2016). The EU GDPR as a clarion call for a new 
global digital gold standard. International Data Privacy Law, 2. 

Cannizzaro, E. (2013). L’interaction entre objectifs politiques et 
compétences matérielles dans le système normatif de l’Union 
européenne. In E. Neframi (sous la direction de), Objectifs et 
compétences dans l’Union européenne. ed. Larcier, Bruxelles, 
211-228. 


Chiara, D.G. (2022). The IoT and the new European Union 
cybersecurity regulatory landscape. International Review of 
Law, Computers & Technology, 36 (2), 119ss. 

Christou, G. (2016). Cybersecurity in the European Union. 
Resilience and adaptability in governance policy. Palgrave 
Macmillan, London. 

Cohen, R. (2001). Cooperative security: From individual 
security to international stability. Marshall Center Papers, n. 3. 

Csonka, P., Landwehr, O. (2019). 10 years after Lisbon. How 
“lisbonised” is the substantive criminal law in the European 
Union?. EUCRIM, 4, 264ss. 

Editorial (2015). A regional strategy for cybersecurity. 
International Journal of Information Security & Cybercrime, n. 
I, 7ss. 

Elsuwege, P. (2010). EU external action after the collapse of the 
pillar structure: In search of a new balance between delimitation 
and consistency. Common Market Law Review, 47, 987-1019. 

Kosta, V. (2015). Fundamental rights in EU internal market 
legislation. Oxford University Press, Oxford, 8ss. 

Markopoulou, D., Papakonstantinou, V., De Hert, P. (2019). 
The new European Union cybersecurity framework. The NIS 
Directive, ENISA’s role and the general data protection 
regulation. Computer Law & Security Review, 35 (6). 


Matera, C. (2016). Some reflections on the nature and scope of 
the externalisation of the AFSJ domains. In M. Fletcher, E. 
Herlin-Karnell (eds), The European Union as an area of 
freedom, security and justice. Routledge, London, New York, 
358ss. 

Moret, E., Pawlak, P. (2017). The EU cyber diplomacy toolbox: 
Towards a cyber sanctions regime?. European Union Institute 
for Security Studies, 4ss. 

Neframi, E. (2010). L’action extérieure de l’Union européenne: 
Fondements, moyens, principes. LGDJ, Paris. 

Radoniewicz, F. (2021). Cybersecurity in the European Union 
law. In K. Chałubińska-Jentkiewicz, D. Radoniewicz, T. 
Zieliński, Cybersecurity in Poland. Legal aspects. ed. Springer, 
Berlin, 2021, 76ss. 

Van Elsuwege, P. (2011). The adoption of “targeted sanctions” 
and the potential for interinstitutional litigation after Lisbon. 
Journal of Contemporary European Research, 7 (4), 489ss. 

Wessel, R.A. (2021). European law and cyberspace. In N. 
Tsagourias, R. Buchan (eds). Research handbook on 
international law and cyberspace. Edward Elgar Publishing, 
Cheltenham, 492ss. 

Wicki-Birchler, D. (2020). The Budapest Convention and the 
general data protection regulation: Acting in concert to curb 
cybercrime?. International Cybersecurity Law Review, 1, 65ss. 

Zandee, D. (2016). European Union global strategy from design 
to implementation. Atlantisch Perspectief, 40 (3), 26-28. 




